blog/source/threat-hunting/protected-group-monitoring.md

---
title: Protected Group Monitoring
layout: page
date: 2025-07-27
---
Description: Monitor for accounts that newly have adminCount=1, i.e. accounts that have just been added to a protected group, by comparing the latest LDAP export against a baseline of known adminCount=1 users.
References: [1](https://learn.microsoft.com/en-us/windows/win32/adschema/a-admincount), [2](https://blog.netwrix.com/2022/09/30/admincount_attribute/), [3](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory)
SPL:
```spl
index="ldapsearch" destCsv="hourly_adminCount.csv" adminCount=1
| join type=left sAMAccountName domain
[ | inputlookup ad_users.csv
| search adminCount=1
| rename adminCount AS wasAdmin
| table sAMAccountName domain wasAdmin]
| search NOT wasAdmin=1
| rename domain AS Domain, sAMAccountName AS User, displayName AS Name, mail AS Email
| table Domain, User, Name, Email
```
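The same anti-join as the SPL above, written as an added Python example (not code from the original page) and run over constructed sample rows standing in for `hourly_adminCount.csv` and the `ad_users.csv` baseline. Unlike the SPL `join`, it normalises the case of `sAMAccountName` and `domain` before matching, since AD treats both case-insensitively; the column names are assumed to match the SPL fields.

```python
import csv
import io

# Constructed sample data: the hourly ldapsearch export and the baseline lookup.
HOURLY_CSV = """sAMAccountName,domain,adminCount,displayName,mail
jdoe,corp.example,1,Jane Doe,jdoe@corp.example
Svc-Backup,CORP.EXAMPLE,1,Backup Service,
asmith,corp.example,1,Alan Smith,asmith@corp.example
bwong,corp.example,0,Bea Wong,bwong@corp.example
"""

BASELINE_CSV = """sAMAccountName,domain,adminCount
jdoe,corp.example,1
svc-backup,corp.example,1
bwong,corp.example,0
"""


def _key(row):
    # AD compares sAMAccountName and domain case-insensitively; the SPL join does
    # not, so normalise here to avoid reporting a known admin as "new".
    return (row["sAMAccountName"].strip().lower(), row["domain"].strip().lower())


def _is_admin(value):
    # adminCount may arrive as "1", " 1" or an int depending on the export.
    return str(value).strip() == "1"


def new_protected_accounts(hourly_csv, baseline_csv):
    """Accounts with adminCount=1 in the hourly export that were not already
    adminCount=1 in the baseline (the NOT wasAdmin=1 step of the SPL)."""
    baseline = {
        _key(r)
        for r in csv.DictReader(io.StringIO(baseline_csv))
        if _is_admin(r["adminCount"])
    }
    hits = []
    for r in csv.DictReader(io.StringIO(hourly_csv)):
        if _is_admin(r["adminCount"]) and _key(r) not in baseline:
            hits.append({"Domain": r["domain"], "User": r["sAMAccountName"],
                         "Name": r.get("displayName", ""), "Email": r.get("mail", "")})
    return hits


if __name__ == "__main__":
    for hit in new_protected_accounts(HOURLY_CSV, BASELINE_CSV):
        print(hit)
```

In the sample data only `asmith` is reported: `jdoe` is already in the baseline, `Svc-Backup` matches `svc-backup` once case is normalised, and `bwong` is not adminCount=1.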